On the (In)security of the Fiat-Shamir Paradigm, Revisited

— A merged version of this work and the work of [BGW12] appears in the proceedings ofthe Theory of Cryptography Conference - TCC 2013 —

On the (In)security of the Fiat-Shamir Paradigm, Revisited

Dana Dachman-SoledMicrosoft Research

Abhishek JainUCLA

Yael Tauman KalaiMicrosoft Research

Adriana Lopez-AltNew York University

Abstract

The Fiat-Shamir paradigm [CRYPTO’86] is a heuristic for converting 3-round identifica-tion schemes into signature schemes, and more generally, for collapsing rounds in public-coininteractive protocols. This heuristic is very popular both in theory and in practice, and manyresearchers have studied its security (and insecurity).

In this work, we continue this study. As our main result, we show that for many wellstudied interactive proofs (and arguments) the soundness of the Fiat-Shamir heuristic cannotbe proven via a black-box reduction to any falsifiable assumption. Previously, the insecurityof this paradigm was exemplified only when applied to interactive arguments (as opposed toproofs).

Using similar techniques, we also show a black-box impossibility result for Micali’s CS-proofs [FOCS’94]. Namely, we prove that there exist PCPs such that for “sufficiently hard” NPlanguages, Micali’s CS-proof cannot be proven sound via black-box reduction to any falsifiableassumption.

These results are obtained by extending the impossibility of two-message zero knowledgeprotocols due to Goldreich and Oren [J. Cryptology’94].

1

1 Introduction

In 1986, Fiat and Shamir [FS86] proposed a general method for eliminating interaction from anypublic coin protocol by replacing the verifier with a hash function. Initially, this heuristic wasproposed for the sake of transforming three-round public-coin identification (ID) schemes intodigital signature schemes, as known ID schemes (in which a sender interactively identifies himselfto a receiver) were significantly simpler and more efficient than known signature schemes. Indeed,this so called Fiat-Shamir heuristic, quickly gained popularity both in theory and in practice, as ityields efficient and easy to implement digital signature schemes.

The Fiat-Shamir heuristic also had important applications outside the regime of ID and sig-nature schemes. For example, it was used by Micali in his construction of CS-proofs [Mic94].More generally, the importance of the Fiat-Shamir heuristic stems from the fact that the latencyof sending messages back and forth has been shown to often be the bottleneck in the running ofcryptographic protocols [MNPS04,BDNP08].

The main question is: Is the Fiat-Shamir heuristic sound? Indeed, due to the popularityand importance of the Fiat-Shamir heuristic, many researchers have tried to prove or disprove itssecurity. In particular, Pointcheval and Stern [PS96] proved that the Fiat-Shamir heuristic is securein the so called random oracle model (formalized in [BR93]) – when the hash function is modeledby a random oracle. In contrast, Barak [Bar01] gave an example of a constant-round public-coinprotocol such that when the Fiat-Shamir heuristic is applied to it, the resulting 2-round protocolis not sound. In a followup work, Goldwasser and Kalai [GK03], gave such an example for a 3-round public-coin ID scheme. However, both these negative results are for protocols that are onlycomputationally sound, also known as arguments.

The main question that remained open is: Is the Fiat-Shamir heuristic sound when applied toproofs? Many researchers have investigated this question. However, despite numerous efforts, thereis still no satisfying answer. We refer the reader to Section 1.2 for details on these related works.

1.1 Our Results

In this work, we continue the study of the Fiat-Shamir paradigm and obtain several new results.Below, we state our results very roughly, followed by a more detailed explanation.

1. We show that for many well-studied public-coin interactive proofs (and specifically, three-round ID schemes), the soundness of the Fiat-Shamir heuristic cannot be proven via a black-box reduction to any falsifiable assumption.

2. Using similar techniques, we show a black-box impossibility result for proving soundness ofMicali’s CS-proofs [Mic94] based on any falsifiable assumptions. In contrast to [GW11], ourresult also holds for non-adaptive cheating provers, who choose the instance before seeing theverifier’s message.

Roughly speaking, an assumption is said to be falsifiable [Nao03] if it can be modeled as an inter-active game between the adversary and a challenger who can efficiently decide if the adversary wonthe game. This includes essentially all standard assumptions used in the cryptographic literature,such as one-way functions, trapdoor permutations, RSA, DDH, LWE, etc.

We now elaborate on our results.

2

Black-box impossibility result for the Fiat-Shamir paradigm. As our main result, we showthat for any sub-exponentially hard language L, if a public-coin interactive proof (or argument)system for L is honest-verifier zero-knowledge (HVZK) against sub-exponential size distinguishers,then the Fiat-Shamir heuristic applied to this protocol cannot be proven sound via a black-boxreduction to a falsifiable assumption.

Moreover, we argue that many of the known protocols are honest-verifier zero-knowledge againstsub-exponential size distinguishers. For example, the well known 3-round (Σ-)protocol for quadraticresiduosity (QR) due to Blum [Blu81], is perfect HVZK . Thus, our result implies that the Fiat-Shamir heuristic cannot be proven sound (via a black-box reduction to a falsifiable assumption)when applied to Blum’s QR-protocol, assuming it is hard to break the QR assumption in sub-exponential time. Similarly, Blum’s protocol for Graph Hamiltonicity [Blu87] is HVZK againstsub-exponential size distinguishers assuming the underlying commitment scheme is hiding againstsub-exponential size adversaries. Since Graph Hamiltonicity is an NP-complete language, our re-sult implies that the Fiat-Shamir heuristic cannot be proven sound (via a black-box reduction toa falsifiable assumption) when applied to Blum’s Graph Hamiltonicity protocol, assuming the un-derlying commitment scheme is hiding against sub-exponential size adversaries and the existanceof NP languages that are sub-exponentially hard.

More generally, we show that for any T (κ)-hard NP language L, for any public-coin interactiveprotocol for L with messages of length O(log T ), if the protocol is T -honest-verifier zero-knowledge(T -HVZK) then the soundness of the Fiat-Shamir heuristic applied to this protocol cannot beproven via a black-box reduction to a T -hard falsifiable assumption. Very roughly, we say thatprotocol is T -HVZK if an honest interaction between the prover and the verifier can be simulatedin time poly(T ) such that no distinguisher running in time poly(T ) can distinguish between asimulated view from the real view. We refer the reader to Section 2 for the formal definitions.

Note that many protocols (such as the two protocols mentioned above; see [CD09,AJL+12] formore examples) have constant soundness error and are therefore repeated many times in parallel toreduce the soundness error. To save on communication, it is desirable to repeat the protocol only` = poly log(κ) times since this already achieves negligible soundness error. However, our mainresult implies that if the language L (being proved) is quasi-polynomially hard, and the protocol isκlog κ-HVZK (which is the case for many of the protocols for which we would like to apply the Fiat-Shamir heuristic), then the Fiat-Shamir transformation cannot be proven sound via a black-boxreduction to a (super-polynomially hard) falsifiable assumption.

On the connection between zero-knowledge and Fiat-Shamir. We note that the connection betweenzero-knowledge and the (in)security of Fiat-Shamir paradigm was already made in prior works. Inparticular, Dwork et al. [DNRS99] showed that if a public-coin interactive protocol is “weakly”zero-knowledge (where the ZK property is weakened by changing the order of quantifiers in thestandard ZK definition, but requiring the simulator and distinguisher to be polynomial time) thenthe Fiat-Shamir heuristic applied to this protocol is not sound. We note however, that knownpublic-coin protocols where Fiat-Shamir heuristic would typically be applied, are not known tosatisfy their zero-knowledge property. In contrast, we only require the protocol to be honest-verifier zero-knowledge w.r.t. sub-exponential adversaries, and show that this property is satisfiedby many well-known protocols (under some assumptions). We refer the reader to Section 1.2 for amore detailed comparison of our results with prior works.

3

Separating CS-proofs from falsifiable assumptions. We use the above results to obtaina black-box impossibility result for CS-proofs, as defined by Micali [Mic94]. A CS-proof is a 2-round argument for any NP statement,1 where the communication complexity depends only onthe security parameter κ, and is independent of the instance length. CS-proofs are obtained byapplying the Fiat-Shamir heuristic to Kilian’s 4-round succinct argument [Kil92]. We show thatthere exist PCPs (with zero-knowledge properties), such that when using these PCPs, Kilian’sprotocol is perfect honest-verifier zero-knowledge. Thus, we conclude that the resulting CS-proofscannot be proven secure via a black-box reduction to a falsifiable assumption if the underlyinglanguage is sub-exponentially hard. We elaborate on this result in Section 5.

On 2-round zero-knowledge. Finally, we note that the technique underlying our black-boximpossibility results is an extension of the negative result for 2-round zero-knowledge due to Gol-dreich and Oren [GO94]. Specifically, we show that for any T -hard language L, there does notexist a 2-round argument system for L that is (a) (auxiliary-input) T -zero-knowledge (i.e., wherethe view of every PPT cheating verifier can be simulated in time poly(T ) so that no poly(T )-timedistinguisher can distinguish between the real view and the simulated view), and (b) soundness canbe proven via a black-box reduction to a T -hard falsifiable assumption. We believe this result isof independent interest, and elaborate on it in Section 3. We refer the reader to Section 1.2 for acomparison of our result with the work of Goldreich and Oren [GO94] and the work of Pass [Pas03].

A note on our black-box impossibility results. We clarify that our results are different frommost black-box impossibility results in the literature (e.g., [IR89,Sim98,GKM+00,GMR01,RTV04,BMG07,BMG09]) which show that some primitive A (e.g., key-agreement) cannot be constructed bymaking black-box use of another primitive B (e.g., one-way functions). In contrast, our black-boxseparation results follow the paradigm of showing that the security of a concrete scheme cannotbe based on a large class of concrete assumptions when the reduction treats the attacker as ablack-box. Known examples of such results include [Cor02,DOPS04,HH09,GW11,Pas11,DHT12].

1.2 Related Work

Fiat-Shamir paradigm. Dwork et al. [DNRS99] (and independently, Hada and Tanaka [HT98])observed the relation between the existence of 3-round zero-knowledge proofs and the (in)securityof the Fiat-Shamir paradigm. Very roughly, the intuition is that if a given 3-round public-coinprotocol is zero-knowledge, then for every verifier, there exists a simulator that can simulate theverifier’s view. Observe that the Fiat-Shamir paradigm uses a hash function as the program ofthe verifier. Thus, one may simply use the zero-knowledge simulator as the cheating prover for theresultant 2-round protocol. Indeed, this idea is more general and extends to any k-round public-coinzero-knowledge proof (or argument), and hence already implies the insecurity of the Fiat-Shamirheuristic when applied to the sequential repetition of many basic 3-round zero-knowledge protocols,such as Blum’s protocol for Graph Hamiltonicity [Blu87].

In fact, Dwork et al. [DNRS99] showed that the above intuition also holds for much weaker defi-nitions of zero-knowledge. However, in all of their definitions, the simulator (and the distinguisher)were always required to be efficient. Indeed, this is crucial for their approach. This stands in sharpcontrast to our approach, where we consider super-polynomial time simulators and distinguishers.Nevertheless, we find it instructive to compare our approach with theirs.

1More generally, CS-proofs are 2-round arguments for any language in NEXP, and were initially defined in [Mic94]for languages in EXP.

4

Following the work of [DNRS99], Barak [Bar01] presented a constant-round public-coin zero-knowledge argument for which the Fiat-Shamir transformation is not sound. Later, Goldwasserand Kalai [GK03] presented such an example for a 3-round argument system. We note that both ofthese negative results are for arguments. In contrast, our results are also applicable to interactiveproofs.

In the context of interactive proofs, Barak, Lindell and Vadhan [BLV03] presented a securitydefinition for the Fiat-Shamir hash function, namely, entropy-preserving hash functions, which ifrealized, would imply the security of the Fiat-Shamir paradigm applied to any constant-roundpublic-coin interactive proof system. Barak et al. gave plausible conjectures under which thisnotion could be realized, but left open the problem of realizing it under standard complexityassumptions. Recently, Dodis, Ristenpart and Vadhan [DRV12] showed that under specific non-falsifiable assumptions regarding the existence of robust randomness condensers for seed-dependentsources, the definition of [BLV03] can be realized. Our results show that the security notionof [BLV03] cannot be realized under falsifiable assumptions, using standard (i.e. black-box) prooftechniques.

Two-round zero-knowledge. Goldreich and Oren [GO94] showed the impossibility of con-structing 2-round zero-knowledge proofs (and arguments) for languages outside BPP. More gener-ally, their results extend in a straightforward manner to show the impossibility of constructing 2-round T -zero-knowledge2 proofs or arguments for T -hard languages, that are sound against cheatingprovers running in time poly(T (κ)). Our black-box impossibility result for 2-round zero-knowledge(see Theorem 3.1) can be viewed as an extension of their results since we also rule out achievingsoundness against polynomial-time cheating provers (based on T -hard falsifiable assumptions). In-deed this difference is crucial for obtaining our negative results. It is also interesting to compareTheorem 3.1 with the work of Pass [Pas03], who gave a positive result for 2-round zero-knowledgearguments where the underlying assumption is T ′-hard for T ′ that is strictly more than the run-ning time of the distinguisher (and strictly less than the running time of the simulator). Thus,Theorem 3.1 can be seen as essentially tight.

Succinct non-interactive arguments. The work of Gentry and Wichs [GW11] gives black-boximpossibility results for constructing succinct non-interactive arguments from falsifiable assump-tions. In particular, their results also imply the impossibility of proving the soundness of Micali’sCS-proofs via black-box reduction to a falsifiable assumption, against adaptive adversaries who maychoose the instances after the verifier’s first message is fixed. Indeed, ruling out non-adaptive ad-versaries (in the general context of succinct non-interactive arguments) was left as an open problemin [GW11]. As such, our negative result on CS-proofs provides a partial answer to their question.

We also note that our techniques for proving Theorem 3.1 are similar to [GW11]. In particular,we encounter some similar technical challenges as in [GW11], such as dealing with reductions that“lie” about the security parameter.

1.3 Concurrent Work

In a concurrent and independent work, Bitansky, Garg and Wichs [BGW12] give a similar butincomparable result to ours. Both works show that the soundness of the Fiat-Shamir heuristiccannot be proven via black-box reductions to a large class of “standard” assumptions. However,the two works approach the problem from two different technical angles: [BGW12] focuses on the

2Recall that in T -zero-knowledge protocols the simulator and the distinguisher run in time poly(T (κ)).

5

impossibility of entropy-preserving hash functions [BLV03] and the implied Fiat-Shamir impossibil-ity, whereas we show the impossibility of black-box reductions for proof systems satisfying a naturalhonest-verifier ZK requirement. The different techniques lead to two main differences in the endresults: The work of [BGW12] gives an impossibility result for a “universal” Fiat-Shamir compilerthat must preserve soundness when applied to any “3-round public-coin proof”. In contrast, wenot only show that a universal compiler cannot exist, but also show impossibility results for severalspecific proof systems. On the other hand, [BGW12] shows a separation from a larger class ofassumptions, consisting of “cryptographic games with an unbounded challenger”, whereas we showa separation from falsifiable assumptions where the challenger is efficient. A merged version of thetwo works [BDSK+13] will appear at TCC 2013.

1.4 Organization

The rest of this paper is organized as follows. We start by setting up notation and recallingsome important definitions in Section 2. In Section 3, we give a black-box impossibility resultfor two-round zero-knowledge arguments. Then, building on this result, we present our black-boximpossibility result for the Fiat-Shamir paradigm in Section 4, and for CS proofs in Section 5.

Notation Throughout this paper, we often use κ to denote the security parameter. A functionµ(·) is called negligible if for all polynomials p and all sufficiently large κ, µ(κ) ≤ 1/p(κ). We usenegl(·) to denote a negligible function. We say that an event E = E(κ) occurs with overwhelmingprobability if it occurs with probability 1− negl(κ).

2 Preliminaries

Definition 2.1. Two distribution families X = {Xκ}κ∈N and Y = {Yκ}κ∈N are said to be T -

indistinguishable (denoted by XT≈ Y) if for every circuit family D = {Dκ}κ∈N of size poly(T (κ)),

AdvX ,YD (S) def= |Pr[D(x) = 1]− Pr[D(y) = 1]| = negl(T (κ)),

where the probabilities are over x← Xκ and over y ← Yκ.

2.1 Hard Languages

Definition 2.2. For any T = T (κ), an NP language L is said to be T -hard if there exist twodistribution families X = {Xκ}κ∈N and X = {Xκ}κ∈N, and a PPT sampling algorithm Samp suchthat:

• For every κ ∈ N the support of Xκ is in L and the support of Xκ is in L.

• The distributions X and X are T (κ)-indistinguishable.

• The support of the sampling algorithm Samp consists of elements (x,w) such that R(x,w) = 1,and its projection to the first coordinate yields the distribution X = {Xκ}κ∈N .

Note that since Samp is efficient, the distribution family X is efficiently sampleable. Thereare no constraints on the size of the instances in Xκ or Xκ, however since X is efficientlysampleable each x← Xκ is of size at most poly(κ).

6

An NP language is said to be sub-exponentially hard if it is 2κ-hard.3

2.2 Zero-Knowledge Arguments

Definition 2.3. A 2-round argument system for an NP language L with corresponding relation Ris a tuple of efficient algorithms Π = (P,V = (V1,V2)) with syntax:

• ch = V1(1κ, x; r): On input a security parameter 1κ, an instance x, and randomness r, theverifier V1 outputs a challenge ch.

• π ← P(1κ, x, w, ch): On input a security parameter 1κ, an instance x together with a corre-sponding witness w, and a challenge ch, the prover P outputs an argument π. This algorithmmay be randomized.

• 0/1 = V2(1κ, x, r, π): On input a security parameter 1κ, an instance x, the randomness r(which is the same randomness as that of V1), and an argument π, the verifier V2 verifieswhether the argument π is correct. We call the output of V2, the output of V.

We require Π to satisfy the following properties:

Completeness: For all (x,w) ∈ R and for all κ ∈ N,

Pr[V2(1κ, x, r, π) = 1

∣∣∣∣ ch = V1(1κ, x; r)π ← P(1κ, x, w, ch)

]= 1− negl(κ),

where the probability is over the randomness r and over the randomness of the prover P.

Soundness: For all poly-size (cheating provers) P∗ = (P∗1 ,P∗2 ),

Pr

V2(1κ, x, r, π) = 1 ∧ x /∈ L

∣∣∣∣∣∣x← P∗1 (1κ)ch = V1(1κ, x; r)π ← P∗2 (1κ, x, ch)

= negl(κ),

where the probability is over the randomness r.

Definition 2.4. For any T = T (κ), we say that a 2-round argument system Π = (P,V) for anNP language L is (auxiliary-input) T -zero-knowledge if for every poly-size circuit V∗ there exists asimulator SV∗(1κ) of size poly(T (κ)) such that for every κ ∈ N, every instance x ∈ L of length atmost poly(κ) with a corresponding witness w, and every auxiliary input z ∈ {0, 1}poly(κ), it holdsthat for every non-uniform distinguisher D = {Dκ} of size poly(T (κ))∣∣ Pr[D ((P(w),V∗(z))(1κ, x)) = 1]− Pr[D (SV∗(1κ, x, z)) = 1]

∣∣ ≤ negl(T (κ)),

where (P(w),V∗(z))(1κ, x) denotes the view of the verifier V∗ after interacting with the honestprover on input security parameter κ, statement x ∈ L, auxiliary input z, and SV∗(1κ, x, z) denotesthe output of the simulator SV∗ on input (1κ, x, z).

3 Note that it should be hard for a poly(2κ)-time distinguisher to distinguish between elements in Xκ and elementsin Xκ, where these elements can be much longer than κ, and can be of length κε for any constant ε > 0 (thus, capturingthe sub-exponential hardness).

7

2.3 Falsifiable Assumptions and Black-Box Reductions

In what follows, we recall the notion of falsifiable assumptions as defined by Naor [Nao03]. Wefollow the formalization of Gentry and Wichs [GW11].

Definition 2.5. For T = T (κ), a T -hard falsifiable assumption consists of a PPT interactivechallenger C(1κ) that runs in time poly(κ) and a constant δ ∈ [0, 1). The challenger C interactswith a machine A and may output a special symbol win. If this occurs, A is said to win C. For anyadversary A, the advantage of A over C is defined as:

Adv(C,δ)A (T ) = |Pr[A(1κ) wins C(1κ)]− δ| ,

where the probability is taken over the random coins of A and C. The assumption associated withthe tuple (C, δ) states that for every (non-uniform) adversary A(1κ) running in time poly(T (κ)),

Adv(C,δ)A (T ) = negl(T (κ)).

If the advantage of A is non-negligible in T (κ) then A is said to break the assumption.

Definition 2.6. Let Π be a 2-round argument system. We say that the soundness of Π can beproven via a black-box reduction to a T (κ)-hard falsifiable assumption, if there is an oracle-accessmachine R(·) such that for every (possibly inefficient) Π-adversary P∗, the machine RP∗ runs intime poly(T (κ)) and breaks the assumption.

3 Black-Box Impossibilty for 2-Round Zero Knowledge

In this section, we give a black-box impossibility result for 2-round zero-knowledge arguments. Ourtheorem extends the negative result of Goldreich and Oren [GO94], and can be seen as essentiallytight, in view of the positive result of Pass [Pas03]. We refer the reader to Section 1.2 for acomparison of our result with [GO94] and [Pas03].

We now state our main technical theorem:

Theorem 3.1. For any T (κ) and any T -hard language L, there does not exist a 2-round argumentsystem Π for L such that:

• Π is (auxiliary-input) T -zero-knowledge, and

• the soundness of Π can be proven via a black-box reduction to a T -hard falsifiable assumption,

unless the assumption is false.

Theorem 3.1, which we believe to be of independent interest, is also the starting point for ourimpossibility results for the Fiat-Shamir paradigm (see Section 4) and for CS proofs (see Section 5).

Proof Idea. Consider a 2-round argument system Π for a T -hard language L that is (auxiliary-input) T -zero-knowledge. We prove, by contradiction, that the soundness of Π cannot be provenvia a black-box reduction to a T -hard falsifiable assumption. Let n be a security parameter andsuppose that there exists a poly(T (n))-time black-box reduction R such that given black-box oracleaccess to any cheating prover P∗, uses this oracle to break a T (n)-hard falsifiable assumption. By

8

the definition of a T (n)-hard falsifiable assumption (see Definition 2.5) and the definition of ablack-box reduction (see Definition 2.6), we know the reduction R runs in time poly(T (n)).

By naturally extending Goldreich and Oren’s 2-round zero-knowledge impossibility result [GO94],we first prove that the T -zero-knowledge simulator S always produces an accepting transcript, evenwhen given a statement x ∈ L (see Lemma 3.2). Thus, we may view S as a cheating prover. Thismeans that R breaks the assumption when given oracle access to S (and S is given x ∈ L). Forbrevity, we say that RS(x∈L) breaks the assumption. However, we must be careful because thereduction R may “lie” about the security parameter and run S with security parameter κ 6= n.Throughout the proof will denote by n the security parameter of the underlying falsifiable assump-tion, and denote by κ the security parameter that the reduction uses when calling S (though thereduction R may call S many times with different security parameters). Note that the bound onthe running time of R means κ ≤ T (n).

Our approach is to show that oracle access to S(x ∈ Lκ) can be simulated in time poly(T (n))regardless of the value of κ. If κ ≤ n then S(x ∈ Lκ) runs in time poly(T (k)) ≤ poly(T (n)) andwe are done. However, if κ > n then we show that if RS(x∈Lκ) breaks the assumption then so doesRP(x∈Lκ,w), where w is a valid witness for x ∈ Lκ and P is the honest prover. Since P(x ∈ Lκ, w)runs in time poly(κ) ≤ poly(T (n)), this means we can simulate S(x ∈ Lκ) in time poly(T (n)).

We now proceed to give the formal proof.

Proof. As a first step in the proof of Theorem 3.1, we prove the following lemma.

Lemma 3.2. For any T (κ), any T -hard language L (w.r.t. distributions X , X ), and any 2-roundargument system Π = (P,V) for L that is (auxiliary-input) T -zero-knowledge, the following holds.Let V∗ be the verifier that on auxiliary input z simply outputs z as its challenge ch. Let SV∗ bethe corresponding (auxiliary-input) zero-knowledge simulator. Then, for every (possibly cheating)verifier V of size poly(T (κ)),

{Viewκ}T≈ {SimViewκ}

where Viewκ and SimViewκ are defined as follows.

Viewκ = (1κ, x, r, π)

where (x,w) ← Samp(1κ), r is randomly chosen, ch = V(1κ, x; r), and π = P(1κ, x, w, ch). Simi-larly,

SimViewκ = (1κ, x, r, π)

where x ← Xκ, r is randomly chosen, ch = V(1κ, x; r), and π ← SV∗(1κ, x, ch), where V∗ is thecheating verifier who takes ch as auxiliary input, and simply sends ch to the prover.

We note that the proof of this lemma builds upon ideas of Goldreich and Oren [GO94].

Proof. Let V be any (possibly cheating) PPT verifier for Π. We first argue that by the (auxiliary-input) T -zero-knowledge property of Π w.r.t. non-uniform distinguishers, it must be the case that

{Viewκ}T≈ {SimView′κ} (3.1)

where SimView′κ is defined exactly as SimViewκ, with the only difference being that x ← Xκ.Namely, SimView′κ = (1κ, x, r, π), where x ← Xκ, r is randomly chosen, ch = V(1κ, x; r), and

9

π ← SV∗(1κ, x, ch). We note that Equation (3.1) actually holds for every x in the language (asopposed to only for x distributed according to Xκ).

This is the case since otherwise there exists a (non-uniform) distinguisher D that runs in timepoly(T (κ)), and given a transcript (1κ, x, ch, π), and auxiliary input r such that ch = V(1κ, x; r),distinguishes between a simulated transcript (1κ, x, ch, π) ← SV∗(1κ, x, ch) and a real transcript(1κ, x, ch, π) ← (P(w),V∗(ch))(1κ, x) with non-negligible probability (in T (κ)), contradicting theT -zero-knowledge property.

We now claim that the fact that the language is T -hard w.r.t. X and X , implies that

{SimView′κ}T≈ {SimViewκ}. (3.2)

This is the case, since if there exists a poly(T (κ))-size distinguisher D that distinguishes betweenthese two views with non-negligible probability (in T (κ)), then there exists a poly(T (κ))-size adver-sary A that distinguishes between x ← Xκ and x ← Xκ with non-negligible probability (in T (κ)),contradicting the T -hardness of L.

Upon receiving an instance z, where z ← Xκ or z ← Xκ, the adversary A chooses r at random,computes ch = V(1κ, z; r), computes π ← SV∗(1κ, z, ch), and outputs D(1κ, z, r, π). By the defini-tion of D, the adversary A indeed distinguishes between x ← Xκ and x ← Xκ with non-negligibleprobability (in T (κ)), contradicting the T -hardness of L.

Equations (3.1) and (3.2) together imply that

{Viewκ}T≈ {SimViewκ}

as desired.

Proof of Theorem 3.1: Fix any T = T (κ) and any T -hard language L (w.r.t. distributions X , X ).Let Π = (P,V) be any 2-round argument system for L that is (auxiliary-input) T -zero-knowledge.Suppose that there exists a poly(T )-time black-box reduction R, that has black-box oracle accessto a cheating prover P∗, and uses this oracle to break the underlying T -hard falsifiable assumption.

By the definition of a T -hard falsifiable assumption (see Definition 2.5) and by the definition ofa black-box reduction (see Definition 2.6), the reduction R interacts with a challenger C(1n), it runsin time poly(T (n)), and it uses oracle access to P∗ to win the challenger’s game. Throughout thisproof we denote by n the security parameter of the underlying falsifiable assumption, and we denoteby κ the security parameter that the reduction uses when calling P∗ (though the reduction R maycall P∗ many times with different security parameters).

Loosely speaking, we prove that oracle access to the cheating prover P∗ can be simulated intime poly(T (n)), which implies that the underlying falsifiable assumption can be broken in timepoly(T (n)), thus contradicting T -hardness of the assumption.

To this end, let P∗ = (P∗1 ,P∗2 ) be the cheating prover, defined as follows: Upon receiving asecurity parameter 1κ the prover P∗1 (1κ) samples x ← Xκ, and upon receiving a challenge ch theprover P∗2 (1κ, x, ch) runs SV∗(1κ, x, ch) and returns the proof π output by SV∗ . Lemma 3.2, togetherwith the completeness property of Π (see Definition 2.3), implies that P∗ provides an acceptingtranscript with overwhelming probability (in κ).

At first sight, the reader may think that since Π is T -zero-knowledge, P∗ can be triviallysimulated in time poly(T (n)). However, note that R may query P∗ on any security parameter κ ofits choice. In particular, since R runs in time poly(T (n)), it may choose to query P∗ with security

10

parameter κ = T (n), in which case P∗ will run in time T (T (n)), which may be significantly largerthan T (n). For example, if T (n) is exponential in n then T (T (n)) is doubly exponential in n.

In order to prove that P∗ can be simulated in time poly(T (n)), we distinguish between simu-lating P∗ for (small) security parameters κ ≤ n, and simulating P∗ for (large) security parametersκ > n. For the former (κ ≤ n), P∗ can be perfectly simulated in time poly(T (n)), since P∗ runs intime poly(T (κ)) ≤ poly(T (n)).

We next use Lemma 3.2 to argue that P∗ can also be simulated in time poly(T (n)) for κ > n.In this case, the simulation will not be perfect, but rather computational, w.r.t. poly(T (n))-timedistinguishers. In particular, we will argue that if R breaks the assumption with oracle accessto P∗, it will also break the assumption with oracle access to the simulated version of P∗.

Let P be a simulated version of P∗, defined as follows: Upon receiving a security parameter 1κ,the prover P samples (x, w) ← Samp(1κ), and sends x to R; and upon receiving a challenge ch(corresponding to x) from the reduction R, the prover P sends π ← P2(1κ, x, w, ch) to R.

Note that P(1κ) runs in time poly(κ). Furthermore, the fact that the reduction R runs in timeat most poly(T (n)) implies that κ ≤ poly(T (n)). Thus P runs in time at most poly(T (n)), asdesired. It remains to argue that if RP∗ wins the challenger’s game with probability ε then RPwins the challenger’s game with probability ε/2. We will prove the following stronger claim.

Claim 3.3. For any oracle machine M(1n) running in time poly(T (n)),

MP∗(1n)T≈MP(1n),

assuming M(1n) queries its oracle only with security parameters κ > n.

Note that this claim immediately implies that RP wins the challenger’s game with probabilityat least ε/2 (and it actually implies that RP wins with probability ε − negl(T (n))). To this end,consider the poly(T (n))-time oracle machineM, that simulates the interaction between R and thechallenger of the underlying falsifiable assumption “in his belly”, and outputs 1 if and only if Rwins the challenger. Note that ifM has oracle access to P∗ it will output 1 with probability ε, andtherefore Claim 3.3 implies that if M has oracle access to P it must output 1 with probability atleast ε− negl(T (n)). Thus it remains to prove Claim 3.3, which follows from Lemma 3.2 togetherwith a standard hybrid argument.

Proof of Claim 3.3. Fix a poly(T (n))-time oracle machine M(1n). Let q ≤ poly(T (n)) be anupper bound on the number of times that M invokes its oracle. We define a sequence of q + 1oracles: H0,H1, . . . ,Hq, where Hi is defined to be the oracle that behaves exactly like P∗ duringthe first i runs of Π, and behaves exactly like P during the remaining runs of Π. Note that H0 = Pand Hq = P∗. A standard hybrid argument implies that it suffices to prove that for every i ∈ [q],

MHi(1n)T≈MHi−1(1n). (3.3)

To this end, fix any i ∈ [q], and suppose for the sake of contradiction that (3.3) does not hold.Namely, suppose that there exists a (non-uniform) poly(T (n))-time distinguisher D such that∣∣ Pr[D(MHi(1n)) = 1]− Pr[D(MHi−1(1n)) = 1]

∣∣ ≥ δ(n),

where δ(n) is a non-negligible function of T (n). We construct a (non-uniform) poly(T (n))-sizedistinguisher that contradicts Lemma 3.2.

11

To this end, recall that both the oracles Hi and Hi−1 behave exactly like P∗ for the first i− 1proofs, and behave exactly like P from the i+1’st proof and onwards. Therefore, there exists somefixing of the first i − 1 interactions between M and P∗, such that conditioned on this fixing, Dstill succeeds in distinguishing between MHi(1n) and MHi−1(1n). Namely, denote by st the stateof M after invoking the P∗ oracle i − 1 times. Then there exists a state st ∈ {0, 1}poly(T (n)), andthere exists a poly(T (n))-time oracle machine Mst that invokes it oracle at most q − i + 1 times,such that ∣∣ Pr[D(MH

st) = 1]− Pr[D(MPst) = 1]∣∣ ≥ δ(n),

where H behaves exactly like P∗ during the first proof, and behaves exactly like P during the restof the proofs.

Note that P runs in time poly(κ) ≤ poly(T (n)), and thus Mst can simulate this oracle on itsown. Namely, there exists a poly(T (n))-time oracle machine Mst as above, that invokes its oracleonly once, and simulates the rest of the oracle calls on its own. In other words, there exists apoly(T (n))-time oracle machine Mst such that∣∣ Pr[D(MP∗st ) = 1]− Pr[D(MPst) = 1]

∣∣ ≥ δ(n), (3.4)

whereMst queries its oracle with security parameter κ > n. Note that the view ofMP∗st is exactlySimViewκ with V = Mst. Similarly the view of MPst is exactly Viewκ with V = Mst. Moreover,the distinguisher D runs in time poly(T (n)) ≤ poly(T (κ)), and distinguishes with probability δ(n),which is non-negligible in T (n), and thus is non-negligible in T (κ). Therefore, Equation (3.4)contradicts Lemma 3.2.

4 Black-Box Impossibility for Fiat-Shamir Paradigm

In this section we give black-box impossibility results for the soundness of the Fiat-Shamir paradigm.Our results are applicable to both proofs and arguments. Moreover, our results are applicable bothin the original setting of 3-round identification protocols, and more generally are applicable toconstant round public-coin protocols (with certain properties).

For the sake of simplicity of notation, we present our results for the case of 4-round public-coinprotocols. We note that although our techniques generalize to constant-round protocols, the caseof 4-rounds already covers many interesting applications of the Fiat-Shamir paradigm, as presentedin Section 4.1 and Section 5.

Let us first recall the Fiat-Shamir paradigm when applied to 4-round public-coin protocols. LetΠ = (P,V) be a 4-round public-coin proof (or argument) system for an NP language L. We denoteits transcripts by (h, α, β, γ), where h, β are the messages sent by the verifier, and α, γ are themessages sent by the prover. Let {HFS

κ }κ∈K be an ensemble of hash functions. We define ΠFS to bethe resulting 2-message protocol obtained by applying the Fiat-Shamir transformation to Π usinghFS ← HFS

κ . More formally, ΠFS = (PFS,VFS) is presented in Figure 4.1.Next we define special honest-verifier (auxiliary-input) T -zero-knowledge. We will later show

the black-box impossibility results for protocols which have this property.

Definition 4.1. For any T = T (κ), we say that a 4-round public-coin proof (or argument) systemΠ = (P,V) for an NP language L is (auxiliary-input) special honest-verifier T -zero-knowledge if

12

Protocol ΠFS(1κ, x) for Language L

Prover’s Input: Statement x and a witness w for x ∈ L.

Verifier’s Input: Statement x.

VFS → PFS: The verifier VFS chooses a random first message h for the protocol Π and chooseshFS ← HFS

κ . It sends (hFS, h) to the prover PFS.

PFS → VFS: The prover PFS simulates an execution with the prover P of Π in the following way:

• Choose a random tape for P and continue the emulation of (P,V) by running P on firstmessage h. Let α be the second message sent by P in Π.

• Compute hFS(α) = β.

• Continue the emulation of P assuming P received β as the third message from VFS.Let γ be the fourth message sent by P.

Send (α, β, γ) to the verifier VFS.

Verification: The verifier VFS accepts iff:

• hFS(α) = β.

• V accepts the transcript (h, α, β, γ).

Figure 4.1: The 2-round Collapsed Protocol ΠFS

there exists a simulator S(1κ) of size poly(T (κ)) such that for every κ ∈ N, every instance x ∈ L oflength at most poly(κ) with a corresponding witness w, every auxiliary input z ∈ {0, 1}poly(κ), andevery random tape (h, β) of the verifier it holds that for every non-uniform distinguisher D = {Dκ}of size poly(T (κ))∣∣ Pr[D ((P(w),V(z, h, β))(1κ, x)) = 1]− Pr[D (S(1κ, x, z, h, β)) = 1]

∣∣ ≤ negl(T (κ)),

where (P(w),V(z, h, β))(1κ, x) denotes the view of the honest verifier V after interacting with thehonest prover on input security parameter κ, statement x ∈ L, auxiliary input z, and random tape(h, β), and S(1κ, x, z, h, β) denotes the output of the simulator S on the corresponding inputs.

We note that special honest verifier zero knowledge differs from honest verifier zero knowledgesince the simulator must successfully simulate the view of the honest verifier for every given randomtape (h, β).

We now state the main theorem of this section:

Theorem 4.2. For any T (κ) and any T -hard language L, let Π be a 4-round public-coin proof (orargument) system for L with 2|β| ≤ T (κ) which is special honest verifier (auxiliary input) T -zeroknowledge. Then, the soundness of ΠFS cannot be proven via a black-box reduction to a T -hardfalsifiable assumption (unless the assumption is false).

13

Note that many public-coin proof (or argument) systems (such as those discussed in Section 4.1)consist of ` parallel repetitions of a basic protocol where the length of the verifier’s message is aconstant number of bits (or may depend logarithmically on the size of the instance x). To save oncommunication, it is desirable to repeat the protocol only ` = poly log(κ) times, since this alreadyachieves negligible soundness error. For such protocols, Theorem 4.2 implies that if the languageL is quasi-polyomially hard, then the Fiat-Shamir transformation applied to this protocol cannotbe proven sound via a black-box reduction to a falsifiable assumption.

Given Theorem 4.2, one may hypothesize that the Fiat-Shamir transformation, when appliedto protocols of the type discussed above, can in fact be proven secure (via a black-box reductionto a falsifiable assumption) when the number of parallel repetitions is increased to ` = poly(κ).However, we show that this is not the case; for many protocols of interest, the impossibility resultholds even when the number of repetitions `, is greater than the hardness of the language.

Corollary 4.3. Let L be a sub-exponentially hard language and let Π be a 4-round public-coin proof(or argument) system for L with the following properties:

• The length of the third message, β, is polynomial in the security parameter, κ, and is inde-pendent of the length of the instance, x.

• Π is special honest verifier (auxiliary input) 2|β|-zero knowledge.

Then, the soundness of ΠFS cannot be proven via a black-box reduction to a 2|β|-hard falsifiableassumption (unless the assumption is false).

Corollary 4.3 follows from Theorem 4.2, as follows. Recall that a language is said to be sub-exponentially hard if it is T -hard for T (κ) = 2κ (see Definition 2.2). Namely, if there exist dis-tributions Xκ and Xκ over strings of length poly(κ) that are 2κ-indistinguishable, where Xκ is adistribution over instances in the language and Xκ is a distribution over instances outside the lan-guage. Note that the length of these instances can be much larger than κ, and can be of lengthκ1/ε for any constant ε > 0.

We argue that any sub-exponentially hard language is also 2p(κ)-hard, for any polynomial p.This follows by simply taking X ′κ = Xp(κ) and by taking X ′κ = Xp(κ). Using this observation,Corollary 4.3 follows immediately from Theorem 4.2 by choosing T (κ) = 2p(κ) such that |β| = p(κ).

4.1 Applications of Theorem 4.2 and Corollary 4.3

Typically (or at least traditionally), the Fiat-Shamir paradigm is applied to 3-round identificationschemes, or more generally to what are called Σ-protocols. All these protocols are special honest-verifier zero-knowledge (see Definition 4.1). Therefore, Theorem 4.2 and Corollary 4.3 imply (black-box) negative results for the Fiat-Shamir paradigm when applied to any such protocol. In whatfollows we give two specific examples, keeping in mind that there are many other natural examplesthat we do not mention.

Perfect Zero-Knowledge Protocol for Quadratic Residuosity. Recall the language LQR ofquadratic residues.

LQR = {(N, y) | ∃x ∈ Z∗N s.t. y = x2 mod N}

This language is assumed to be hard w.r.t. distributions Xκ and Xκ, defined as follows. In bothdistributions, N is sampled by sampling two random κ-bit primes p and q, and setting N = pq; in

14

Xκ, the element y is a random quadratic residue, and in Xκ the element y is a random quadraticnon-residue with Jacobi symbol 1.

Recall the well-known perfect zero-knowledge Σ-protocol for quadratic residuosity with sound-ness 1/2 [Blu81]. We denote by Π`-QR the perfect special honest-verifier zero-knowledge protocolconsisting of ` parallel executions of the basic Σ-protocol. We denote by ΠFS(`-QR) the protocolobtained when applying the Fiat-Shamir paradigm to Π`-QR. By applying Corollary 4.3, we obtainthe following theorem:

Theorem 4.4. For any ` = `(κ) = poly(κ), if LQR is sub-exponentially hard then the soundnessof ΠFS(`-QR) cannot be proven via a black-box reduction to a falsifiable assumption (unless theassumption is false).

Blum’s Zero-Knowledge Protocol for NP. Recall the well-known Σ-protocol for NP of Blum[Blu87], based on the NP-complete problem of Graph Hamiltonicity, with soundness 1/2. We denoteby Π`-Blum the special honest-verifier zero-knowledge protocol consisting of ` parallel executions ofthe basic Σ-protocol. Note that Π`-Blum is special honest-verifier 2`-zero-knowledge, if the hidingproperty of the commitment scheme holds against 2`-size adversaries.4

We denote by ΠFS(`-Blum) the protocol obtained when applying the Fiat-Shamir paradigm toΠ`-Blum. By applying Corollary 4.3, we obtain the following theorem:

Theorem 4.5. For any ` = `(κ) = poly(κ), if there exist NP languages L which are sub-exponentially hard, and if ΠFS(`-Blum) is instantiated with a commitment scheme whose hiding prop-erty holds against 2`-size adversaries, then the soundness of ΠFS(`-Blum) cannot be proven via ablack-box reduction to a falsifiable assumption (unless the assumption is false).

As noted above, one can apply Theorem 4.2 or Corollary 4.3 to many other Σ protocols (suchas the ones based on the DDH assumption or on the N ’th residuosity assumption), and obtain(black-box) negative results for the soundness of the resulting protocols obtained by applying theFiat-Shamir paradigm.

The case of interactive arguments. We note that if the underlying NP language is not sub-exponentially hard, and instead only quasi-polynomially hard (e.g., when T = κlog κ), then ournegative results only hold when the length of the verifier’s message is logarithmic in the hardnessof the language.

We note, however, that for many Σ-protocols which have the (standard) structure, where thefirst message sent by the prover is a commitment, the second message sent by the verifier is somequery, and the third message sent by the prover is some decommitment information (such as inBlum’s protocols presented above), then the following holds: If the protocol Π is for a T -hardlanguage, and if the underlying commitment scheme is a (public-coin) commitment scheme whosebinding property can be broken in time T but the hiding property holds against time poly(T )-adversaries, then for any ` = poly(κ), the soundness of ΠFS(`) cannot be proven via a black-boxreduction to a T -hard falsifiable assumption. This follows from the fact that we can prove thatΠFS(`) is T -zero-knowledge by constructing a simulator that runs in time T and breaks the bindingproperty of the underlying commitment scheme.

4Recall that for a protocol to be special honest-verifier 2`-zero knowledge, the simulated view needs to be 2`-indistinguishable from the real view (see Definition 4.1).

15

4.2 Proof of Theorem 4.2

Theorem 4.2 follows from the following lemma and from Theorem 3.1:

Lemma 4.6. Let Π be a 4-round public-coin proof or argument system for a T (κ)-hard languageL with the following properties:

• The length of the third message, β, satisfies 2|β| ≤ T .

• Π is special honest verifier (auxiliary input) T -zero knowledge.

Then ΠFS is (auxiliary-input) T -zero-knowledge.

In the remainder of this section we prove Lemma 4.6.

Proof of Lemma 4.6. Let S be the special honest verifier T -zero-knowledge simulator for Π. LetV∗ be any non-uniform PPT adversary for ΠFS. We construct a T -zero-knowledge simulator SFS

that simulates the view of V∗, as follows:

Simulator SFS: On input a security parameter 1κ, a statement x ∈ L of length poly(κ), andauxiliary input z ∈ {0, 1}poly(κ), the simulator SFS proceeds as follows:

1. SFS begins an internal emulation of ΠFS with V∗.

2. Upon receiving (hFS, h) from V∗, SFS repeats the following at most T 2 ≥ 22|β| times:

• Sample a transcript (h, α, β, γ) by choosing β uniformly at random and running S(1κ, x, z, h, β).

• If β = hFS(α), continue the emulation of ΠFS by returning the message (α, β, γ) to V∗,on behalf of the honest prover.

3. If SFS does not find a matching transcript after 22|β| iterations, it halts and outputs ⊥.

4. Otherwise, SFS halts and outputs ViewV∗ , the view of V∗.

We claim that for every instance x ∈ L of length at most poly(κ) with a corresponding witness w,and every auxiliary input z ∈ {0, 1}poly(κ), it holds that for every non-uniform distinguisher D ={Dκ} of size poly(T (κ))∣∣ Pr[D

((PFS(w),V∗(z))(1κ, x)

)= 1]− Pr[D

(SFSV∗(1

κ, x, z))

= 1]∣∣ ≤ negl(T (κ)).

This will immediately imply that ΠFS is auxiliary-input T -zero-knowledge.Assume towards contradiction that for infinitely many κ ∈ N there exists some instance x ∈ L of

length at most poly(κ), some auxiliary input z ∈ {0, 1}poly(κ), and some non-uniform distinguisherD of size poly(T (κ)) distinguishing the above with advantage 1

p(T (κ)) , for some polynomial p(·). Weshow that for corresponding κ ∈ N, instances x ∈ L of length at most poly(κ), auxiliary inputsz ∈ {0, 1}poly(κ), and for some random tape (h, β), there exists a non-uniform distinguisher D′ ofsize poly(T (κ)) such that∣∣ Pr[D′ ((P(w),V(z, h, β))(1κ, x)) = 1]− Pr[D′ (S(1κ, x, z, h, β)) = 1]

∣∣ ≥ 1p′(T (κ))

,

16

for some polynomial p′(·). This contradicts the honest verifier T -zero-knowledge property of Π.Instead of constructing D′ as above, we construct a distinguisher D∗ that for some val =

((h1, β1), . . . , (hT 2 , βT 2)) distinguishes with non-negligible probability 1p∗(T (κ)) = 1

2p(T (κ)) (for in-finitely many κ’s) between

REAL(1κ, x, w, z, val) def= ((P(w),V(z, h1, β1))(1κ, x), . . . , (P(w),V(z, hT 2 , βT 2))(1κ, x))

andSIM(1κ, x, z, val) def= (S(1κ, x, z, h1, β1), . . . ,S(1κ, x, z, hT 2 , βT 2)) .

Since Π is special honest verifier zero-knowledge even against non-uniform distinguishers, it isstraightforward to show via a standard hybrid argument that the existence of D∗ implies theexistence of D′ as above.

We now proceed to construct D∗, given D as above. Consider the following distinguisher D∗:

D∗: On input a security parameter 1κ, a statement x ∈ L of size poly(κ), and an auxiliary inputz ∈ {0, 1}poly(κ), the distinguisher D∗ does the following:

1. Sample a random tape r for V∗ and compute (hFS, h)← V∗(1κ, x, z; r). Additionally, sample(β∗1 , . . . , β∗T 2) uniformly at random and set val =

((h, β∗1), . . . , (h, β∗T 2)

).

2. Submit val to the external challenger and receive views

(View1, . . . ,ViewT 2) =((h, α∗1, β

∗1 , γ∗1), . . . , (h, α∗T 2 , β

∗T 2 , γ

∗T 2)

)drawn from either REAL(1κ, x, w, z, val) or SIM(1κ, x, z, val).

3. Find the first i such that β∗i = hFS(α∗i ).

4. If there is no such i, then halt and output ⊥.

5. Otherwise, set the view of V∗ to be ViewV∗ = (α∗i , β∗i , γ∗i , r), and output D(ViewV∗).

It is clear by the description above that D∗ has size poly(T ).We next claim that∣∣ Pr[D∗(REAL(1κ, x, w, z, val)) = 1]− Pr[D∗(SIM(1κ, x, z, val)) = 1]

∣∣ ≥ 12p(T (κ))

.

It is straightforward to see that when (View1, . . . ,ViewT 2) are drawn from SIM(1κ, x, z, val),the distribution of ViewV∗ generated by D∗ is identical to the output distribution of SFS

V∗ .On the other hand, we show that when (View1, . . . ,ViewT 2) is drawn from REAL(1κ, x, w, z, val)

the distribution of ViewV∗ generated by D∗ is 12p(T (κ)) -close to the view of V∗ when running

(PFS(w),V∗(z))(1κ, x).Since we have assumed that D distinguishes the output of SFS

V∗ and (PFS(w),V∗(z))(1κ, x) withadvantage at least 1

p(T (κ)) , this immediately implies that D∗ distinguishes with advantage at least1

2p(T (κ)) .Note that if we allow D∗ to request arbitrarily many views from (P(w),V(z, h, β∗))(1κ, x)),

where β∗ is chosen independently and uniformly at random, until it obtains a view View =

17

(α∗, β∗, γ∗) such that h(α∗) = β∗, then the view ViewV∗ outputted by D∗ is identically distributedto the view ViewV∗ outputted by (PFS(w),V∗(z))(1κ, x).

Thus, the statistical distance between the distribution over views ViewV∗ generated by D∗

and the distribution over views ViewV∗ generated by (P(w),V(z))(1κ, x) is upper bounded by theprobability that D∗ does not find an i, 1 ≤ i ≤ T 2, such that h(α∗i ) = β∗i .

Now, note that for (View1, . . . ,ViewT 2) =((h, α∗1, β

∗1 , γ∗1), . . . , (h, α∗T 2 , β

∗T 2 , γ

∗T 2)

)drawn from

REAL(1κ, x, w, z, val) each β∗i is independent of α∗i , and is uniformly distributed. Therefore, forany fixed Fiat-Shamir hash hFS and for each i, the event that hFS(α∗i ) = β∗i is an independentevent, and the probability of each such event is exactly 1

2|β|≥ 1

T (κ) . Thus, the probability that D∗

does not find an i, 1 ≤ i ≤ T 2, such that hFS(α∗i ) = β∗i , when (View1, . . . ,ViewT 2) is drawn fromREAL(1κ, x, w, z, val), is at most(

1− 1T (κ)

)T 2(κ)

≤ exp(−T (κ)) ≤ 12p(T (κ))

.

This concludes the proof of Lemma 4.6.

5 Separating CS Proofs from Falsifiable Assumptions

In this section we show that for sufficiently hard NP languages, there exist PCPs such that Micali’sCS proofs [Mic94] instantiated with such a PCP cannot be proven sound via a black-box reductionto any falsifiable assumption. This section is organized as follows. We first setup notation andrecall some relevant definitions in Section 5.1. Then, in Section 5.6, we present our black-boximpossibility result.

5.1 Preliminaries

5.2 Hash Functions

Definition 5.1. Let X and Y be two sets, and let Huniv be a family of functions from X to Y .We say that Huniv is a universal family of hash functions if for any two elements x1, x2 ∈ X s.t.x1 6= x2, and for any two elements y1, y2 ∈ Y ,

Prh∈Huniv

[h(x1) = y1 ∧ h(x2) = y2] =1|Y |2

Definition 5.2. Let {Hcrhκ }κ∈N be a class of functions where every h ∈ Hcrh

κ maps t(κ) bits to κbits. We say that {Hcrh

κ }κ∈N is a collision-resistant hash (CRH) if for every κ ∈ N, and everypoly(κ)-size adversary A,

Prh←Hcrh

κ

[x 6= yh(x) = h(y)

∣∣∣(x, y)← A(h)]≤ negl(κ)

5.3 Statistically Hiding Commitments

Definition 5.3. A 2-round statistically hiding bit commitment scheme Πcom = (C,R) between asender C = (com,open) and a receiver R = (R1, R2) consists of two phases, namely, the Commitphase and the Opening phase, with syntax:

18

Commit phase: On input a security parameter 1κ and randomness rR, the receiver R computesthe first message h← R1(1κ; rR) and sends it to the committer C. To commit to a bit b, thecommitter C runs the commit algorithm com on input (h, b) and randomness rC to computec← com(1κ, h, b; rC). C sends c to R.

Opening phase: In order to decommit to bit b, the committer C runs the opening algorithmz = open(1κ, b, c, rC) and sends its output z to R. The receiver R outputs b′ ← R2(1κ, c, z, rR)as the opened bit.

We require Πcom to satisfy the following two properties:

Statistically Hiding: The commitment scheme Πcom is said to be s(κ)-hiding if for all κ ∈ N,the distributions View〈C(0),R〉(1κ) and View〈C(1),R〉(1κ) are s(κ)-close, where View〈C(b),R〉(1κ)denotes the view of R when interacting with C(1κ, b) (this view simply consists of R’s randomcoins and the messages it receives from C). In particular, when s(κ) = negl(κ), then Πcom issaid to be statistically hiding.

Computational Binding: For all poly-size (cheating senders) C∗,

Pr[∀b ∈ {0, 1}, R2(1κ, c, zb, rR) = b

∣∣∣∣ h← R1(1κ; rR)(c, z0, z1)← C∗(1κ, h)

]≤ negl(κ),

where the probability is over the randomness rR of the receiver R.

Statistically Hiding Commitments from CRH. We briefly recall the statistically hiding bitcommitment scheme Πcom = (C,R) of Halevi and Micali [HM96].

Let {Hcrhκ }κ∈N be a CRH where every h ∈ Hcrh

κ maps t(κ) bits to κ bits. Let Huniv be a universalfamily of hash functions where every huniv ∈ Huniv maps t(κ) bits to 1-bit. The commitment schemeΠcom is described as follows. The receiver R’s message is a uniformly chosen h← Hcrh

κ . To committo a bit b, the commitment algorithm com generates a uniformly chosen huniv ← Huniv and a randomstring z of length t(κ) s.t. huniv(z) = b. It then computes y = h(z) and outputs c = (y, huniv).Finally, to decommit to b, the opening algorithm open simply outputs z.

We now recall the following theorem from [HM96]:

Theorem 5.4 (Halevi-Micali [HM96]). For every κ ∈ N, the bit commitment scheme Πcom is2−(t(κ)−κ−6)/3 hiding.

5.4 Merkle Trees

Merkle tree hashing [Mer89] is a technique that allows the computation of a succinct commitmentto a long string π and a succinct decommitment to any bit of π. In what follows, we give a briefinformal description of the Merkle Tree hashing algorithm.

Let h ← Hcrhκ be a randomly chosen hash function that maps t(κ) bits to κ bits. Then, the

commitment and opening algorithms are described as follows:

commt(1κ, π, h): Divide π into p = |π|/t(κ) parts, each of length t(κ), and evaluate the hashfunction h over each part. Repeat the operation on the resultant string, and so on, until a singleκ-bit string c is obtained. Output (c, d) as the succinct commitment, where d is the depth of theresulting tree.

19

openmt(1κ, π, h, i): In order to decommit to the ith bit πi of the string π, output πi along withall the hash values on the path, pathi, from the leaf πi to the root c. In addition, output all the“necessary information” to verify these hash values. This information consists of t(κ) bits for eachlevel j ∈ [d], such that when applying the hash h to this t(κ)-bit string we get the j’th hash valuein pathi. Note that all-in-all, the output is of length t · d. From now on we abuse notation, andlet ρi = (πi, pathi) denote the entire output. (We remark that we have explicitly added πi to theopening for clarity of exposition.)

Informally speaking, we say that an opening ρi = (πi, pathi) is valid if one can compute the(committed) root value c from pathi by repeated evaluations of the hash h.

5.5 Probabilistically Checkable Proofs

Definition 5.5 (`-query PCP). An ` = `(κ)-query efficient probabilistically checkable proof (PCP)for an NP language L with corresponding relation R is a tuple of efficient algorithms Πpcp =(Ppcp,Vpcp = (V1

pcp,V2pcp)) with syntax:

• π ← Ppcp(1κ, x, w): On input a security parameter 1κ, and an instance x, together with acorresponding witness w, the prover Ppcp outputs a proof π. This algorithm may be random-ized.

• 0/1 ← Vπpcp(1

κ, x; r): The verifier first uses randomness r to generate an `-size query setq ← V1

pcp(1κ, x, r) denoted by q = {q1, . . . , q`}, and then queries the proof π at the locations

q1, . . . , q` to obtain `-sized string πq = (πq1 , . . . , πq`), where πqi represents the qth

i bit of π. Itthen outputs V2

pcp(1κ, x, q, πq) as its decision.

We require Πpcp to satisfy the following properties:

Completeness: For all κ ∈ N and (x,w) ∈ R,

Pr[Vπ

pcp(1κ, x) = 1

∣∣π ← Ppcp(1κ, x, w)]≥ 1− negl(κ),

where the probability is over the randomness of the prover Ppcp and verifier Vpcp.

Soundness: For all κ ∈ N and any (unbounded) cheating prover P∗pcp,

Pr[V π

pcp(1κ, x) = 1 ∧ x /∈ L

∣∣(x, π)← P∗pcp(1κ)

]≤ negl(κ),

where the probability is over the randomness of the verifier Vpcp.

Remark 5.6 (Verifier’s random coins). We assume, without loss of generality, that the number ofrandom bits used by the query generation algorithm V1

pcp of the PCP verifier, is at most the numberof queries `(κ).

Definition 5.7 (T -Zero Knowledge PCP). A PCP Πpcp = (Ppcp,Vpcp = (V1pcp,V2

pcp)) for an NPlanguage L is said to be T = T (κ) zero-knowledge if there exists a simulator Spcp of size at mostpoly(T (κ)) such that for every κ ∈ N, every instance x ∈ L of length at most poly(κ), with acorresponding witness w, every randomness r of the verifier producing a query q ← V1

pcp(1κ, x, r),

we have that (r, πSq ) and (r, πq) are T (κ)-indistinguishable, where πSq ← Spcp(1κ, x, r) and πq is theanswer to query q determined from π ← Ppcp(1κ, x, w).

We note that the work of Dwork et al. [DFK+92] gives the construction of perfect zero-knowledgePCPs (as per the above definition) for NP with negligible soundness error when ` = ω(log κ).

20

5.6 CS Proofs

In this section we show that for sufficiently hard NP languages, there exist PCPs such that Micali’sCS proof, instantiated with such PCPs, cannot be proven sound via a black-box reduction to anyfalsifiable assumption.

Since Micali’s CS proofs are obtained by applying the Fiat-Shamir heuristic on Kilian’s 4-roundsuccinct argument [Kil92], we start by recalling Kilian’s protocol, denoted by Π = (P,V).

Kilian’s protocol. We first define some notation. Let Hcrhκ be a CRH where each h ∈ Hcrh

κ mapst(κ) bits to κ bits. Let (commt,openmt) denote the Merkle Tree hash commitment and openingalgorithms. For any NP language L, let Πpcp = (Ppcp,Vpcp = (V1

pcp,V2pcp)) be an `(κ)-query PCP.

Kilian’s 4-round protocol Π is given in Figure 5.1.

Parameters: Security parameter κ.

Prover’s Input: Statement x and a witness w for x ∈ L.

Verifier’s Input: Statement x.

V → P: V chooses h← Hcrhκ at random and sends h to P.

P → V: P performs the following steps:

• Run the PCP prover algorithm Ppcp on input (x,w) (and uniformly chosen randomness,if necessary) to compute the proof string π ← Ppcp(1κ, x, w).

• Run the Merkle Tree hash commitment algorithm commt on input (π, h) to computethe succinct commitment c← commt(1κ, π, h).

P sends c to V.

V → P: V chooses random coins r for the PCP verifier Vpcp and sends r to P.

P → V: P performs the following steps:

• Compute the PCP verifier Vpcp’s query set q = {q1. . . . , q`} ← V1pcp(1

κ, x, r).

• Run the Merkle Tree hash opening algorithm openmt on inputs {qi}`i=1 to compute{ρi = openmt(1κ, π, h, qi)}`i=1. Let ρ = (ρ1, . . . , ρ`).

P sends ρ to V.

Verification: Let ρi = (πqi , pathqi). V accepts iff:

• ∀i ∈ [`], (πqi , pathqi) is valid with respect to q = V1

pcp(1κ, r).

• V2pcp(1

κ, x, q, πq) = 1, where πq = (πq1 , . . . , πq`).

Figure 5.1: Kilian’s 4-round succinct argument Π = (P,V)

21

(In)security of CS Proofs. Let ΠFS denote Micali’s 2-message CS proof system obtained byapplying the Fiat-Shamir transformation to Kilian’s protocol Π using hFS ← HFS

κ . For any NPlanguage L and any PCP, Πpcp, for L, Micali proved that Π is sound in the so called randomoracle model, where hFS is modeled as a random oracle. We now prove that for every 2`(κ)-hardlanguage L, there exists an `-query PCP such that the CS proof ΠFS for language L cannot beproven sound via a black-box reduction to any falsifiable assumption. More formally,

Theorem 5.8. For all ` = `(κ) and any 2`(κ)-hard language L, there exists an `-query PCP Πpcp

such that the soundness of CS proof ΠFS instantiated with Πpcp for language L cannot be provenvia a black-box reduction to a 2`(κ)-hard falsifiable assumption (unless the assumption is false).

The following corollary follows easily from Theorem 5.8, similarly to the way that Corollary 4.3follows from Theorem 4.2.

Corollary 5.9. For any sub-exponentially hard language L and for any ` = poly(κ), there existsan `-query PCP Πpcp such that the soundness of CS proof ΠFS instantiated with Πpcp for languageL cannot be proven via a black-box reduction to a 2`(κ)-hard falsifiable assumption (unless theassumption is false).

We give a high-level overview of the proof of Theorem 5.8. Let L be a 2`(κ)-hard language.Our main idea is to show that when Kilian’s 4-round succinct argument Π is instantiated with aspecific PCP (with some zero-knowledge properties), then it is a (special) honest verifier 2`(κ)-zeroknowledge argument for L, where the verifier’s second message is of length at most ` (see Remark5.6). This, when combined with Theorem 4.2 immediately yields the proof of Theorem 5.8.

A natural first idea towards showing that Kilian’s 4-round protocol Π is (special) honest verifier2`(κ)-zero knowledge is to simply instantiate it with a zero-knowledge PCP (see Definition 5.7).Unfortunately, this is not sufficient because zero-knowledge PCPs only guarantee that for a givenquery set q, the proof substring πq can be simulated. In Kilian’s protocol, however, the verifieralso obtains some information about the proof substring πq, where q is the set consisting of eachi ∈ [|π|]\q. Thus, we need to ensure that the “extra” information that is given about πq in Kilian’sprotocol Π can also be simulated.

We achieve this by making use of statistically hiding commitments. Specifically, given anyzero-knowledge PCP proof string π, we encode it into a new, larger PCP proof string, π, such thatthe hash values of π statistically hide the bits of π. More details are given in the formal proof ofTheorem 5.8 presented in Section 5.7.

5.7 Proof of Theorem 5.8

Let L be any 2`(κ)-hard NP language. Let Πzkpcp =

(Ppcp, Vpcp = (V1

pcp, V2pcp)

)be a 2`(κ) zero-

knowledge PCP for L. We first construct a PCP Πpcp =(Ppcp,Vpcp = (V1

pcp,V2pcp)

)as follows:

Prover Ppcp(1κ, x, w; rp): Run the algorithm Ppcp on input (x,w) (and randomness from rp, ifnecessary) to compute π ← Ppcp(1κ, x, w). Randomly choose a universal hash function huniv ←Huniv that maps t(κ) bits to a single bit. For every i ∈ [|π|], choose zi ← {0, 1}t(κ) at randoms.t. huniv(zi) = πi. Output π = (z1, . . . , z|π|, h

univ).

Verifier Vπpcp(1

κ, x; rv): First run the algorithm V1pcp with randomness rv, described as follows:

22

• q ← V1pcp(1

κ, x, rv): Run the algorithm V1pcp with randomness rv to compute the ˜-

sized query set q ← V1pcp(1

κ, x, rv) denoted by q = {q1, . . . , q˜}. For every i ∈ [˜], letui be the t(κ)-size set of locations {t(κ)(qi − 1) + 1, . . . , t(κ)qi}. Further, let v be the|huniv|-sized set of locations corresponding to the last |huniv| bits of π. Output queryset q = {u1, . . . , u˜, v}. (Note that by opening all the sets ui and v, we have thatq = {q1, . . . , q`}, where ` = t(κ)˜+ |huniv|.)

Now, query the proof π at all the locations in the query set q to obtain string πq, and runthe algorithm V2

pcp with input πq, described as follows:

• 0/1← V2pcp(1

κ, x, πq): Parse πq as (zu1 , . . . , zu˜, huniv), where for every i ∈ [˜], zui is the

t(κ)-sized substring of π corresponding to the locations ui, and huniv is the substringcorresponding to the locations v. For every i ∈ [˜], compute πqi = huniv(zui). Letπq = (πq1 , . . . , πq˜). Output V2

pcp(1κ, x, πq).

This completes the description of the PCP Πpcp. The completeness and soundness properties ofΠpcp are straightforward.

Consider Kilian’s 4-round argument system Π = (P,V) for language L instantiated with thePCP Πpcp, as described above. We will show that Π is 2`(κ)-HVZK, which when combined withTheorem 4.2 yields Theorem 5.8. We first construct a simulator S for Π as follows:

Simulator S. On input a hash function h ← Hcrhκ and randomness r, the simulator S works in

the following manner:

• Run V1pcp(1

κ, r) to compute the corresponding query set q = {q1, . . . , q˜} of V1pcp(1

κ, r), andthe more inclusive query set q = {q1, . . . , q`} of V1

pcp(1κ, r).

• Run the simulator Spcp for the PCP Πzkpcp on input (x, r, q) to obtain πq = (πq1 , . . . , πq˜).

Further, for every j ∈ [|π|] \ q (where |π| denotes the size of the honest proof in Πzkpcp), choose

a random bit πj . Let π = (π1, . . . , π|π|).

• Randomly choose a universal hash function huniv ← Huniv that maps t(κ) bits to a singlebit. Then, for every i ∈ [|π|], choose zi ← {0, 1}t(κ) at random s.t. huniv(zi) = πi. Letπ = (z1, . . . , z|π|, h

univ).

• Run the Merkle Tree hash commitment algorithm commt on input (π, h) to compute thesuccinct commitment cS ← commt(1κ, π, h).

• Run the Merkle Tree hash opening algorithm openmt on inputs {qi}`i=1 to compute openings{ρi = openmt(1κ, π, h, qi)}`i=1. Let ρS = (ρ1, . . . , ρ`).

• Output (cS , ρS).

We prove that for all κ ∈ N, every instance x ∈ L of length at most poly(κ) with a correspondingwitness w, every h ∈ Hcrh

κ , every randomness r of Vpcp,

(h, cS , r, ρS)T≈ (h, c, r, ρ) (5.1)

where (cS , ρS)← S(1κ, x, h, r) and (h, c, r, ρ) denotes a protocol transcript between P(1κ, x, w) andV(1κ, x) with (h, r) as V’s messages. We prove Equation (5.1) via a simple hybrid argument.

23

Hybrid H0: This experiment corresponds to the honest protocol execution for statement x, wherethe verifier’s messages are h and r. The output of the experiment is the protocol transcript(h, c, r, ρ).

Hybrid H1: This experiment is the same as H0 except that the proof string π of the underlyingZK PCP Πzk

pcp is computed in the following manner:

• First run the honest prover algorithm Ppcp on input (x,w) to compute proof string π.

• Let q = {q1, . . . , q˜} ← V1pcp(1

κ, r). Then, for every j ∈ [|π|] \ q, choose a random bit bj andset πj = bj . Let the proof string be π = (π1, . . . , π|π|).

Hybrid H2: This experiment is the same as H1 except that instead of computing the proof string πof the underlying ZK PCP Πzk

pcp as before, we do the following: Run the simulator Spcp on input(x, r, q) (where q ← V1

pcp(1κ, r)) to compute πSq = (πq1 , . . . , πq˜). For every j ∈ [|π|] \ q, we let πj be

a random bit as before. Let the proof string be π = (π1, . . . , π|π|).Note that this experiment corresponds to our zero knowledge simulator S for Π.

This completes the description of the hybrid experiments. In order to conclude our proof, we nowargue that H0 is 2`(κ)-indistinguishable from H2.

Indistinguishability of H0 and H1. Note that the only difference between H0 and H1 is that inH1, for every j ∈ [|π|] \ q, the bit πj is randomly chosen (instead of being honestly computed byPpcp). We argue that despite this difference, H0 and H1 are 2`(κ)-indistinguishable.

Consider the Merkle Tree hash computed over the proof string π. Let the leaves in the treecorrespond to depth 0, and consider the κ-bit hash values at depth 1 in the tree. We denote theset of these hash values by level1. It follows from our construction of the PCP proof string π andfrom Theorem 5.4 that ∀i ∈ [|π|], the ith hash value in level1 (along with huniv) is a 2−(t(κ)−κ−6)/3

hiding commitment of the bit πi.Now, let us consider the modified experiments H ′0 and H ′1 that are the same as H0 and H1

respectively, except that their outputs are modified in the following manner. Instead of outputting(h, c, r, ρ), they output (h, r, πq, level1), where (as defined earlier) πq is the PCP proof substringcorresponding to the query set q ← V1

pcp(1κ, x, r), and as before, level1 is the set of all κ-bit hash

values at level 1 of the Merkle Tree hash. Clearly, the outputs of H ′0 and H ′1 carry no less informationthan H0 and H1, and therefore it suffices to argue 2`(κ)-indistinguishability of H ′0 and H ′1 in orderto argue that H0 and H1 are 2`(κ)-indistinguishable.

Note that the only difference between H ′0 and H ′1 is the manner in which the commitmentsin level1 are computed. In particular, in H ′0, the i’th hash value is a commitment to the bitπi, while in H ′1, each hash value is a commitment to a random bit. If the commitment schemedescribed in Section 5.3 is 2−`(κ)-hiding, then by a standard hybrid argument, H ′0 and H ′1 are2`(κ)-indistinguishable (see Definition 2.1). Thus, by setting t(κ) = 3`(κ) + κ + 6 and invokingTheorem 5.4, we achieve the desired result.

Indistinguishability of H1 and H2. Note that the only difference between H1 and H2 is themanner in which the proof substring πq1 , . . . , πq˜ is computed. Specifically, it is computed bythe honest PCP prover algorithm Ppcp in H1, while in H2, it is computed by the simulator Spcp.Thus, the 2`(κ)-indistinguishability of H1 and H2 immediately follows from the 2`(κ)-zero knowledgeproperty of Πzk

pcp.This completes the proof of Theorem 5.8.

24

References

[AJL+12] Gilad Asharov, Abhishek Jain, Adriana Lopez-Alt, Eran Tromer, Vinod Vaikun-tanathan, and Daniel Wichs. Multiparty computation with low communication, com-putation and interaction via threshold fhe. In EUROCRYPT, pages 483–501, 2012.

[Bar01] Boaz Barak. How to go beyond the black-box simulation barrier. In FOCS, pages106–115, 2001.

[BDNP08] Assaf Ben-David, Noam Nisan, and Benny Pinkas. Fairplaymp: a system for securemulti-party computation. In ACM Conference on Computer and CommunicationsSecurity, pages 257–266, 2008.

[BDSK+13] Nir Bitansky, Dana Dachman-Soled, Yael Tauman Kalai, Sanjam Garg, Abhishek Jain,Adriana Lopez-Alt, and Daniel Wichs. Why “fiat-shamir for proofs” lacks a proof. InTCC, 2013.

[BGW12] Nir Bitansky, Sanjam Garg, and Daniel Wichs. Why “fiat-shamir for proofs” lacks aproof. Cryptology ePrint Archive, Report 2012, 2012. http://eprint.iacr.org/.

[Blu81] Manuel Blum. Coin flipping by telephone. In CRYPTO, pages 11–15, 1981.

[Blu87] Manuel Blum. How to prove a theorem so no one else can claim it. In Proceedings ofthe International Congress of Mathematicians, pages 1444–1451, 1987.

[BLV03] Boaz Barak, Yehuda Lindell, and Salil P. Vadhan. Lower bounds for non-black-boxzero knowledge. In FOCS, pages 384–393, 2003.

[BMG07] Boaz Barak and Mohammad Mahmoody-Ghidary. Lower bounds on signatures fromsymmetric primitives. In FOCS, pages 680–688, 2007.

[BMG09] Boaz Barak and Mohammad Mahmoody-Ghidary. Merkle puzzles are optimal - ano(n2)-query attack on any key exchange from a random oracle. In CRYPTO, pages374–390, 2009.

[BR93] Mihir Bellare and Phillip Rogaway. Random oracles are practical: A paradigm fordesigning efficient protocols. In ACM Conference on Computer and CommunicationsSecurity, pages 62–73, 1993.

[CD09] Ronald Cramer and Ivan Damgard. On the amortized complexity of zero-knowledgeprotocols. In CRYPTO, pages 177–191, 2009.

[Cor02] Jean-Sebastien Coron. Optimal security proofs for pss and other signature schemes.In EUROCRYPT, pages 272–287, 2002.

[DFK+92] Cynthia Dwork, Uriel Feige, Joe Kilian, Moni Naor, and Shmuel Safra. Low commu-nication 2-prover zero-knowledge proofs for np. In CRYPTO, pages 215–227, 1992.

[DHT12] Yevgeniy Dodis, Iftach Haitner, and Aris Tentes. On the instantiability of hash-and-sign rsa signatures. In TCC, pages 112–132, 2012.

25

[DNRS99] Cynthia Dwork, Moni Naor, Omer Reingold, and Larry J. Stockmeyer. Magic func-tions. In FOCS, pages 523–534, 1999.

[DOPS04] Yevgeniy Dodis, Shien Jin Ong, Manoj Prabhakaran, and Amit Sahai. On the(im)possibility of cryptography with imperfect randomness. In FOCS, pages 196–205,2004.

[DRV12] Yevgeniy Dodis, Thomas Ristenpart, and Salil P. Vadhan. Randomness condensers forefficiently samplable, seed-dependent sources. In TCC, pages 618–635, 2012.

[FS86] Amos Fiat and Adi Shamir. How to prove yourself: Practical solutions to identificationand signature problems. In CRYPTO, pages 186–194, 1986.

[GK03] Shafi Goldwasser and Yael Tauman Kalai. On the (in)security of the fiat-shamirparadigm. In FOCS, pages 102–113, 2003.

[GKM+00] Yael Gertner, Sampath Kannan, Tal Malkin, Omer Reingold, and MaheshViswanathan. The relationship between public key encryption and oblivious trans-fer. In FOCS, pages 325–335, 2000.

[GMR01] Yael Gertner, Tal Malkin, and Omer Reingold. On the impossibility of basing trapdoorfunctions on trapdoor predicates. In FOCS, pages 126–135, 2001.

[GO94] Oded Goldreich and Yair Oren. Definitions and properties of zero-knowledge proofsystems. J. Cryptology, 7(1):1–32, 1994.

[GW11] Craig Gentry and Daniel Wichs. Separating succinct non-interactive arguments fromall falsifiable assumptions. In STOC, pages 99–108, 2011.

[HH09] Iftach Haitner and Thomas Holenstein. On the (im)possibility of key dependent en-cryption. In TCC, pages 202–219, 2009.

[HM96] Shai Halevi and Silvio Micali. Practical and provably-secure commitment schemesfrom collision-free hashing. In CRYPTO, pages 201–215, 1996.

[HT98] Satoshi Hada and Toshiaki Tanaka. On the existence of 3-round zero-knowledge pro-tocols. In CRYPTO, pages 408–423, 1998.

[IR89] Russell Impagliazzo and Steven Rudich. Limits on the provable consequences of one-way permutations. In STOC, pages 44–61, 1989.

[Kil92] Joe Kilian. A note on efficient zero-knowledge proofs and arguments (extended ab-stract). In STOC, pages 723–732, 1992.

[Mer89] Ralph C. Merkle. A certified digital signature. In CRYPTO, pages 218–238, 1989.

[Mic94] Silvio Micali. CS proofs. In FOCS, pages 436–453, 1994.

[MNPS04] Dahlia Malkhi, Noam Nisan, Benny Pinkas, and Yaron Sella. Fairplay - secure two-party computation system. In USENIX Security Symposium, pages 287–302, 2004.

26

[Nao03] Moni Naor. On cryptographic assumptions and challenges. In CRYPTO, pages 96–109,2003.

[Pas03] Rafael Pass. Simulation in quasi-polynomial time, and its application to protocolcomposition. In EUROCRYPT, pages 160–176, 2003.

[Pas11] Rafael Pass. Limits of provable security from standard assumptions. In STOC, pages109–118, 2011.

[PS96] David Pointcheval and Jacques Stern. Security proofs for signature schemes. In EU-ROCRYPT, pages 387–398, 1996.

[RTV04] Omer Reingold, Luca Trevisan, and Salil P. Vadhan. Notions of reducibility betweencryptographic primitives. In TCC, pages 1–20, 2004.

[Sim98] Daniel R. Simon. Finding collisions on a one-way street: Can secure hash functionsbe based on general assumptions? In EUROCRYPT, pages 334–345, 1998.

27

On the (In)security of the Fiat-Shamir Paradigm, Revisited

Documents

Transcript of On the (In)security of the Fiat-Shamir Paradigm, Revisited